path: root/package/iptables/files/firewall.init
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

## Please make changes in /etc/firewall.user
# Boot-order priority read by /etc/rc.common (the interpreter named in the shebang).
START=45
start() {
	include /lib/network
	scan_interfaces
	
	config_get WAN wan ifname
	config_get WANDEV wan device
	config_get LAN lan ifname
	config_get_bool NAT_LAN lan nat 1
	if [ $NAT_LAN -ne 0 ]
	then
		config_get LAN_MASK lan netmask
		config_get LAN_IP lan ipaddr
		LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
	fi
	
	## CLEAR TABLES
	for T in filter nat; do
		iptables -t $T -F
		iptables -t $T -X
	done
	
	iptables -N input_rule
	iptables -N input_wan
	iptables -N output_rule
	iptables -N forwarding_rule
	iptables -N forwarding_wan

	iptables -t nat -N NEW
	iptables -t nat -N prerouting_rule
	iptables -t nat -N prerouting_wan
	iptables -t nat -N postrouting_rule
	
	iptables -N LAN_ACCEPT
	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
	[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
	iptables -A LAN_ACCEPT -j ACCEPT
	
	### INPUT
	###  (connections with the router as destination)
	
	# base case
	iptables -P INPUT DROP
	iptables -A INPUT -m state --state INVALID -j DROP
	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
	
	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A INPUT -j input_rule
	[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
	
	# allow
	iptables -A INPUT -j LAN_ACCEPT	# allow from lan/wifi interfaces 
	iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
	iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
	
	# reject (what to do with anything not allowed earlier)
	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
	
	### OUTPUT
	### (connections with the router as source)
	
	# base case
	iptables -P OUTPUT DROP
	iptables -A OUTPUT -m state --state INVALID -j DROP
	iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	
	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A OUTPUT -j output_rule
	
	# allow
	iptables -A OUTPUT -j ACCEPT		#allow everything out
	
	# reject (what to do with anything not allowed earlier)
	iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
	
	### FORWARDING
	### (connections routed through the router)
	
	# base case
	iptables -P FORWARD DROP 
	iptables -A FORWARD -m state --state INVALID -j DROP
	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	
	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A FORWARD -j forwarding_rule
	[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
	
	# allow
	iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
	[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
	
	# reject (what to do with anything not allowed earlier)
	# uses the default -P DROP
	
	### MASQ
	iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW 
	iptables -t nat -A PREROUTING -j prerouting_rule
	[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
	iptables -t nat -A POSTROUTING -j postrouting_rule
	### Only LAN, unless told not to
	if [ $NAT_LAN -ne 0 ]
	then
		[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
	fi

	iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
		iptables -t nat -A NEW -j DROP

	## USER RULES
	[ -f /etc/firewall.user ] && . /etc/firewall.user
	[ -n "$WAN" -a -e /etc/config/firewall ] && {
		export WAN
		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
	}
}

#######################################
# Tear the firewall down: open the built-in chains of the filter and nat
# tables (policy ACCEPT), then flush all rules and delete user chains.
# Globals:   none
# Arguments: none
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables call
#######################################
stop() {
	local chain

	# filter table: open the policies first so nothing is dropped mid-flush
	for chain in INPUT OUTPUT FORWARD; do
		iptables -P "$chain" ACCEPT
	done
	iptables -F
	iptables -X

	# nat table, same sequence
	for chain in PREROUTING POSTROUTING OUTPUT; do
		iptables -t nat -P "$chain" ACCEPT
	done
	iptables -t nat -F
	iptables -t nat -X
}